Private mongodb credentials in production environment #9

Closed
timothybone opened this Issue · 1 comment

2 participants

@timothybone

Sorry if this is a very beginner question but...

Is there a way of using this in a production environment, and be able to keep your database credentials private?

I ask because this puts all the database work on the client side, right?

@pkozlowski-opensource

@timothybone I assume that by "database credentials" you mean the apiKey from MongoLab, right? If so, the current MongoLab adapter just relies on what is available in MongoLab, and the current authentication mechanism for the RESTful API is only based on the API key and gives full read / write access to the entire database:

From: https://support.mongolab.com/entries/20433053-rest-api-for-mongodb

Please note that this apiKey will give full access to all data within the databases belonging to your MongoLab account. If you do not have it secured on an app server, someone can gain access to it and your data.

If you want to use MongoLab in production for non-public data you will need a server cooperating and providing a security mechanism. Please note that the current adapter has an option of specifying a base URL so you can simply "hide" RESTful URLs behind a thin proxy as we did in the angular-app:
https://github.com/angular-app/angular-app/blob/master/server/server.js#L62

So, while the MongoLab REST API is great for demos and publicly available data, it is not enough for private, sensitive data and you need to provide authentication on the server.

One more observation: exposing the apiKey might sound scary, but please note that any RESTful API that gives the ability to query, modify and delete data exposes the whole data set to the external world. So the whole problem is more linked to exposing and securing RESTful APIs and is not limited to MongoLab or this adapter.

Closing this issue, we can discuss more on the mailing list.
